FortiSIEM Discussions
dmontgomery
New Contributor III

Notifications status failed

I had configured our email server and set up notifications for rules, i.e. account lockout. It was working in the past but suddenly stopped. I can successfully send a test email from the super, but when I view incidents I can see account lockouts but the Notification Status shows as failed and we are not getting the email notification. "Failed" is kind of vague. Is there anywhere else I can look to get an indication of why it is failing?

 


1 Solution
dmontgomery
New Contributor III

The issue is resolved. A Homer Simpson moment.

 

The service account password was changed and I was able to enter it for the test email but I neglected to hit the save button before leaving the email settings screen.

 

Maybe a "Do you want to save your changes" prompt should be a future feature.

 

Thanks everyone.


7 REPLIES 7
dmontgomery
New Contributor III

I tried to query the phoenixDB but the action_error is unpopulated.

select action_error, action_result, action_name from ph_notification_action_result where action_result='Failed';

 action_error | action_result | action_name
--------------+---------------+------------------------------------------
              | Failed        | Email sent to ~
 
 
premchanderr

Hi,

 

You can check the log file /opt/glas*/dom*/dom*/logs/phoenix.log to view errors related to notification. If you need any assistance, it is better to open a ticket with Fortinet support, since the issue is specific to your environment and to maintain privacy of details.

If the test is successful but the notification mail fails, the Exchange server has probably reached some limit.

Regards,
Prem Chander R
Secusaurus


"If the test is successful but the notification mail fails, the Exchange server has probably reached some limit."


Yes, this is also a possible reason; depending on the amount of notifications being sent for one incident, some mail servers will deny some or all of them.

FCP & FCSS Security Operations | Fortinet Advanced Partner
dmontgomery

Thanks, I will check.

Secusaurus
Contributor

Hi @dmontgomery,

 

First, the obvious thing you probably already checked: Many mail providers require you to specify the same sender address as reply-to address as the user account. If you set anything else there, some mail providers block the incoming mail directly. If your provider did not do this before, but recently changed that without notice, this could be the easiest reason (because, in the test you will likely insert the correct sender but probably did not notice that the general setting is set to a different one).

From the Fortinet TAC:


In the past versions, FSM was sending emails as notifier@<super hostname>.<domain>.com that could cause some issues with the SMTP server policies but now in v7.x, it's using "Default Email Sender" from Admin> Setup> Email.
You may try to reset values in that screen.


 

Now, something beyond that:

We had a very similar issue for a long time with multiple Fortinet-products (including FortiAnalyzer and FortiAuthenticator). Tests went fine, but the real mails (incident notifications, reports, status messages, etc.) did not come through for all of these products. On the FSM, it resulted in the log message "Exception reading response", which is very generic, unfortunately.

As soon as I enabled SSL-decryption and mirrored the traffic to investigate further, the issue was gone. So it looked like a certificate validation error from the client side (no trust in the SMTP server?).

Because we had some other issues, we switched to an account with another mail provider, in our case from Strato to Microsoft. That included a change of the port as well (not default SMTP/SMTPS anymore) and fixed the issue immediately. I am not sure if the reason is the mail provider or the port, but I would recommend trying another provider first to see if you still have an issue there.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
dmontgomery
New Contributor III

Our Exchange servers are on-prem. The sender is an AD service account with a mailbox. The scenario above does not account for why it worked up until just over a week ago then suddenly stopped. The ph_notification_action_result does show when it was successful.

 

 

 
